Beginner’s Guide to Mastering the Netstat Command on Linux

The netstat command is an essential tool for network administration. It displays information about the Linux networking subsystem including data on open network connections, routing tables and statistics about the installed network interfaces.

The simplest netstat command is just to run the tool without any parameter:

netstat

This will display a list of the current open connections on your machine. However the results can be a bit unwieldy. It is therefore better to break down the connections by type. To list all the open TCP connections, use:

netstat-t

The result is a list of the current connections being made to your computer. In the example above, you can see that my test machine is running a SSH server and that there are established SSH connections.

Notice the line which reads “Active Internet connection (w/o servers)“. The last part means that netstat didn’t include a list of any servers running on your machine; in other words, it didn’t list those programs which are waiting for TCP connections but currently have none established.

To get a list of the active TCP connections and a list of the ports which are listening for TCP connections, add the -a flag:

netstat-at

The -a stands for ALL and adds the set of listening ports. Looking down the list, you can see that my Linux computer is also waiting for SSH connections over IPv6.

The same information can also be generated for UDP using:

netstat-au

The opposite of the -a flag is the -l flag which makes netstat list the listening ports but omit the active connections.

To see a list of the processes that have open connections or are waiting for connections, use the -p flag:

sudonetstat-atp

You can use -p with both -t for TCP or -u for UDP. Also note that you need to run the command with sudo. The -p flag makes interpreting the connection list much easier. From the example above, you can see that not only is the SSH server running (sshd), but the machine has a CUPS server running along with the DNSMasq mini server.

If you need to check that a particular service is running, you can use netstat in conjunction with the grep command. For example, on my test setup, I installed an email server (postfix). To check that it is running, I can use the following:

sudonetstat-ltp|grep smtp

The -ltp flag tells netstat to only list the TCP servers (i.e. those processes listening for connections) and the grep command filters the output to only show the lines with the string “smtp.” As a result, we can see that the process “master” (which is the name of the main process of Postfix) is listening on IPv4 and IPv6 for incoming SMTP connections.

netstat is able to generate quite a lot of statistical information about the networking subsystem. Try the following commands:

netstat -i to get usage information about the network interfaces

netstat -ie to get extended usage information

netstat -s to get summary statistics for each of the networking protocols (i.e. TCP, UDP, ICMP and so on)

To get the current kernel routing table, use:

netstat-rn

Reading routing tables needs a trained eye, but essentially what the example above shows is that the default route (0.0.0.0) for all packets other than those for the local machine will be sent to 192.168.1.254, which in my test setup is the default gateway and my Internet modem/router.

You can run command without the -n flag which will mean that netstat will attempt to resolve the addresses.

The netstat man page has a full list of all the options available, you can read it using:

mannetstat

If you have any trouble with the examples given above, feel free to ask a question in the comments sections below.